Skip to content
Log In

III - Administrative Classified

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000003-UEM-000003

    Group
    Show

  • Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity.

    A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system, but does not log out because of the tempora...
    Rule Medium Severity
    Show

  • SRG-APP-000025-UEM-000014

    Group
    Show

  • Microsoft Intune service must automatically disable accounts and identifiers (individuals, groups, roles, and devices) after a 35-day period of account inactivity.

    Attackers that can exploit an inactive account and identifiers can potentially obtain and maintain undetected access to an application. Owners of inactive accounts will not notice if unauthorized a...
    Rule Medium Severity
    Show

  • SRG-APP-000065-UEM-000036

    Group
    Show

  • Microsoft Intune service must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

    By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the a...
    Rule Medium Severity
    Show

  • SRG-APP-000068-UEM-000037

    Group
    Show

  • Microsoft Intune service must display the Standard Mandatory DOD Notice and Consent Banner and have the user acknowledge acceptance of the access conditions before granting access to the application.

    Display of the DOD-approved use notification before granting access to the application ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive ...
    Rule Medium Severity
    Show

  • SRG-APP-000125-UEM-000074

    Group
    Show

  • Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.

    Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices. Protection of log data includes ensuring log data is not acciden...
    Rule Medium Severity
    Show

  • SRG-APP-000149-UEM-000083

    Group
    Show

  • Microsoft Intune service must be configured to use a DOD Central Directory Service to provide multifactor authentication for network access to privileged and nonprivileged accounts and individual and group accounts.

    A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromise...
    Rule Medium Severity
    Show

  • SRG-APP-000174-UEM-000104

    Group
    Show

  • Microsoft Intune service must enforce a 60-day maximum password lifetime restriction.

    Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. One method of minimizing this risk is to use complex passwords and p...
    Rule Medium Severity
    Show

  • SRG-APP-000291-UEM-000165

    Group
    Show

  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are created.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply c...
    Rule Medium Severity
    Show

  • SRG-APP-000292-UEM-000166

    Group
    Show

  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) when accounts are modified.

    When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notificat...
    Rule Medium Severity
    Show

  • SRG-APP-000293-UEM-000167

    Group
    Show

  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account disabling actions.

    When application accounts are disabled, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notificat...
    Rule Medium Severity
    Show

  • SRG-APP-000294-UEM-000168

    Group
    Show

  • Microsoft Intune service must notify system administrators and the information system security officer (ISSO) for account removal actions.

    When application accounts are removed, user accessibility is affected. Accounts are used for identifying users or for identifying the application processes themselves. Sending notification of accou...
    Rule Medium Severity
    Show

  • SRG-APP-000320-UEM-000193

    Group
    Show

  • Microsoft Intune service must notify system administrator and information system security officer (ISSO) of account enabling actions.

    Once an attacker establishes access to an application, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply e...
    Rule Medium Severity
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules